iPXE
Macros | Functions | Variables
x509.c File Reference

X.509 certificates. More...

#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
#include <ipxe/base16.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/rsa.h>
#include <ipxe/rootcert.h>
#include <ipxe/certstore.h>
#include <ipxe/privkey.h>
#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>

Go to the source code of this file.

Macros

#define ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )
 
#define EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )
 
#define ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )
 
#define EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )
 
#define EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )
 
#define EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )
 
#define EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )
 
#define EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )
 
#define EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )
 
#define EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )
 
#define EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )
 
#define EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )
 
#define EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )
 
#define EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )
 
#define EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )
 
#define EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )
 
#define EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )
 
#define EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )
 
#define EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )
 
#define EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )
 
#define EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )
 
#define EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
 
#define EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )
 
#define EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
 
#define EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )
 
#define EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )
 
#define EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )
 
#define EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
 
#define EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
 
#define EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
 
#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )
 
#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
 
#define EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )
 
#define EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static void x509_free (struct refcnt *refcnt)
 Free X.509 certificate. More...
 
const char * x509_name (struct x509_certificate *cert)
 Get X.509 certificate display name. More...
 
static int x509_parse_version (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate version. More...
 
static int x509_parse_serial (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate serial number. More...
 
static int x509_parse_issuer (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate issuer. More...
 
static int x509_parse_validity (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate validity. More...
 
static int x509_parse_common_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate common name. More...
 
static int x509_parse_subject (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject. More...
 
static int x509_parse_public_key (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate public key information. More...
 
static int x509_parse_basic_constraints (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate basic constraints. More...
 
static int x509_parse_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key usage. More...
 
static int x509_parse_key_purpose (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key purpose identifier. More...
 
static int x509_parse_extended_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extended key usage. More...
 
static int x509_parse_ocsp (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate OCSP access method. More...
 
static struct x509_access_methodx509_find_access_method (const struct asn1_cursor *oid)
 Identify X.509 access method by OID. More...
 
static int x509_parse_access_description (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate access description. More...
 
static int x509_parse_authority_info_access (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate authority information access. More...
 
static int x509_parse_subject_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject alternative name. More...
 
static struct x509_extensionx509_find_extension (const struct asn1_cursor *oid)
 Identify X.509 extension by OID. More...
 
static int x509_parse_extension (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extension. More...
 
static int x509_parse_extensions (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extensions, if present. More...
 
static int x509_parse_tbscertificate (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate tbsCertificate. More...
 
int x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate from ASN.1 data. More...
 
int x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
 Create X.509 certificate. More...
 
static int x509_check_signature (struct x509_certificate *cert, struct x509_public_key *public_key)
 Check X.509 certificate signature. More...
 
int x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
 Check X.509 certificate against issuer certificate. More...
 
void x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
 Calculate X.509 certificate fingerprint. More...
 
int x509_check_root (struct x509_certificate *cert, struct x509_root *root)
 Check X.509 root certificate. More...
 
int x509_check_time (struct x509_certificate *cert, time_t time)
 Check X.509 certificate validity period. More...
 
int x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
 Check if X.509 certificate is valid. More...
 
static void x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
 Set X.509 certificate as validated. More...
 
int x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
 Validate X.509 certificate. More...
 
static int x509_check_dnsname (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative dNSName. More...
 
static int x509_check_ipaddress (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative iPAddress. More...
 
static int x509_check_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative name. More...
 
int x509_check_name (struct x509_certificate *cert, const char *name)
 Check X.509 certificate name. More...
 
static void x509_free_chain (struct refcnt *refcnt)
 Free X.509 certificate chain. More...
 
struct x509_chainx509_alloc_chain (void)
 Allocate X.509 certificate chain. More...
 
int x509_append (struct x509_chain *chain, struct x509_certificate *cert)
 Append X.509 certificate to X.509 certificate chain. More...
 
int x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
 Append X.509 certificate to X.509 certificate chain. More...
 
void x509_truncate (struct x509_chain *chain, struct x509_link *link)
 Truncate X.509 certificate chain. More...
 
static struct x509_certificatex509_found (struct x509_chain *store, struct x509_certificate *cert)
 Mark X.509 certificate as found. More...
 
struct x509_certificatex509_find (struct x509_chain *store, const struct asn1_cursor *raw)
 Identify X.509 certificate by raw certificate data. More...
 
struct x509_certificatex509_find_subject (struct x509_chain *store, const struct asn1_cursor *subject)
 Identify X.509 certificate by subject. More...
 
struct x509_certificatex509_find_issuer_serial (struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
 Identify X.509 certificate by issuer and serial number. More...
 
struct x509_certificatex509_find_key (struct x509_chain *store, struct private_key *key)
 Identify X.509 certificate by corresponding public key. More...
 
int x509_auto_append (struct x509_chain *chain, struct x509_chain *store)
 Append X.509 certificates to X.509 certificate chain. More...
 
int x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
 Validate X.509 certificate chain. More...
 
int image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
 Extract X.509 certificate object from image. More...
 
 REQUIRING_SYMBOL (x509_validate)
 
 REQUIRE_OBJECT (certstore)
 
 REQUIRE_OBJECT (config_crypto)
 

Variables

static uint8_t oid_common_name [] = { ASN1_OID_COMMON_NAME }
 "commonName" object identifier More...
 
static struct asn1_cursor oid_common_name_cursor
 "commonName" object identifier cursor More...
 
static uint8_t oid_code_signing [] = { ASN1_OID_CODESIGNING }
 "id-kp-codeSigning" object identifier More...
 
static uint8_t oid_ocsp_signing [] = { ASN1_OID_OCSPSIGNING }
 "id-kp-OCSPSigning" object identifier More...
 
static struct x509_key_purpose x509_key_purposes []
 Supported key purposes. More...
 
static uint8_t oid_ad_ocsp [] = { ASN1_OID_OCSP }
 "id-ad-ocsp" object identifier More...
 
static struct x509_access_method x509_access_methods []
 Supported access methods. More...
 
static uint8_t oid_ce_basic_constraints []
 "id-ce-basicConstraints" object identifier More...
 
static uint8_t oid_ce_key_usage []
 "id-ce-keyUsage" object identifier More...
 
static uint8_t oid_ce_ext_key_usage []
 "id-ce-extKeyUsage" object identifier More...
 
static uint8_t oid_pe_authority_info_access []
 "id-pe-authorityInfoAccess" object identifier More...
 
static uint8_t oid_ce_subject_alt_name []
 "id-ce-subjectAltName" object identifier More...
 
static struct x509_extension x509_extensions []
 Supported certificate extensions. More...
 

Detailed Description

X.509 certificates.

The structure of X.509v3 certificates is documented in RFC 5280 section 4.1.

Definition in file x509.c.

Macro Definition Documentation

◆ ENOTSUP_ALGORITHM

#define ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )

Definition at line 58 of file x509.c.

◆ EINFO_ENOTSUP_ALGORITHM

#define EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )

Definition at line 60 of file x509.c.

◆ ENOTSUP_EXTENSION

#define ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )

Definition at line 62 of file x509.c.

◆ EINFO_ENOTSUP_EXTENSION

#define EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )

Definition at line 64 of file x509.c.

◆ EINVAL_ALGORITHM

#define EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )

Definition at line 66 of file x509.c.

◆ EINFO_EINVAL_ALGORITHM

#define EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )

Definition at line 68 of file x509.c.

◆ EINVAL_ALGORITHM_MISMATCH

#define EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )

Definition at line 70 of file x509.c.

◆ EINFO_EINVAL_ALGORITHM_MISMATCH

#define EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )

Definition at line 72 of file x509.c.

◆ EINVAL_PATH_LEN

#define EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )

Definition at line 74 of file x509.c.

◆ EINFO_EINVAL_PATH_LEN

#define EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )

Definition at line 76 of file x509.c.

◆ EINVAL_VERSION

#define EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )

Definition at line 78 of file x509.c.

◆ EINFO_EINVAL_VERSION

#define EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )

Definition at line 80 of file x509.c.

◆ EACCES_WRONG_ISSUER

#define EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )

Definition at line 82 of file x509.c.

◆ EINFO_EACCES_WRONG_ISSUER

#define EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )

Definition at line 84 of file x509.c.

◆ EACCES_NOT_CA

#define EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )

Definition at line 86 of file x509.c.

◆ EINFO_EACCES_NOT_CA

#define EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )

Definition at line 88 of file x509.c.

◆ EACCES_KEY_USAGE

#define EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )

Definition at line 90 of file x509.c.

◆ EINFO_EACCES_KEY_USAGE

#define EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )

Definition at line 92 of file x509.c.

◆ EACCES_EXPIRED

#define EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )

Definition at line 94 of file x509.c.

◆ EINFO_EACCES_EXPIRED

#define EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )

Definition at line 96 of file x509.c.

◆ EACCES_PATH_LEN

#define EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )

Definition at line 98 of file x509.c.

◆ EINFO_EACCES_PATH_LEN

#define EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )

Definition at line 100 of file x509.c.

◆ EACCES_UNTRUSTED

#define EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )

Definition at line 102 of file x509.c.

◆ EINFO_EACCES_UNTRUSTED

#define EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

Definition at line 104 of file x509.c.

◆ EACCES_OUT_OF_ORDER

#define EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )

Definition at line 106 of file x509.c.

◆ EINFO_EACCES_OUT_OF_ORDER

#define EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )

Definition at line 108 of file x509.c.

◆ EACCES_EMPTY

#define EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )

Definition at line 110 of file x509.c.

◆ EINFO_EACCES_EMPTY

#define EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )

Definition at line 112 of file x509.c.

◆ EACCES_OCSP_REQUIRED

#define EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )

Definition at line 114 of file x509.c.

◆ EINFO_EACCES_OCSP_REQUIRED

#define EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )

Definition at line 116 of file x509.c.

◆ EACCES_WRONG_NAME

#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )

Definition at line 118 of file x509.c.

◆ EINFO_EACCES_WRONG_NAME

#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )

Definition at line 120 of file x509.c.

◆ EACCES_USELESS

#define EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )

Definition at line 122 of file x509.c.

◆ EINFO_EACCES_USELESS

#define EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Definition at line 124 of file x509.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ x509_free()

static void x509_free ( struct refcnt refcnt)
static

Free X.509 certificate.

Parameters
refcntReference count

Definition at line 132 of file x509.c.

132  {
133  struct x509_certificate *cert =
135 
136  x509_root_put ( cert->root );
137  free ( cert );
138 }
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:403
A reference counter.
Definition: refcnt.h:26
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:225
An X.509 certificate.
Definition: x509.h:215
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54

References container_of, free, x509_certificate::root, and x509_root_put().

Referenced by x509_certificate().

◆ x509_name()

const char* x509_name ( struct x509_certificate cert)

Get X.509 certificate display name.

Parameters
certX.509 certificate
Return values
nameDisplay name

Definition at line 146 of file x509.c.

146  {
147  struct asn1_cursor *common_name = &cert->subject.common_name;
148  struct digest_algorithm *digest = &sha1_algorithm;
149  static char buf[64];
150  uint8_t fingerprint[ digest->digestsize ];
151  size_t len;
152 
153  len = common_name->len;
154  if ( len ) {
155  /* Certificate has a commonName: use that */
156  if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
157  len = ( sizeof ( buf ) - 1 /* NUL */ );
158  memcpy ( buf, common_name->data, len );
159  buf[len] = '\0';
160  } else {
161  /* Certificate has no commonName: use SHA-1 fingerprint */
162  x509_fingerprint ( cert, digest, fingerprint );
163  base16_encode ( fingerprint, sizeof ( fingerprint ),
164  buf, sizeof ( buf ) );
165  }
166  return buf;
167 }
const void * data
Start of data.
Definition: asn1.h:22
size_t len
Length of data.
Definition: asn1.h:24
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct x509_subject subject
Subject.
Definition: x509.h:244
unsigned char uint8_t
Definition: stdint.h:10
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1234
struct asn1_cursor common_name
Common name.
Definition: x509.h:63
size_t digestsize
Digest size.
Definition: crypto.h:26
A message digest algorithm.
Definition: crypto.h:18
uint32_t len
Length.
Definition: ena.h:14
An ASN.1 object cursor.
Definition: asn1.h:20
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257

References x509_subject::common_name, asn1_cursor::data, digest_algorithm::digestsize, len, asn1_cursor::len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

◆ x509_parse_version()

static int x509_parse_version ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate version.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 183 of file x509.c.

184  {
185  struct asn1_cursor cursor;
186  int version;
187  int rc;
188 
189  /* Enter version */
190  memcpy ( &cursor, raw, sizeof ( cursor ) );
191  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
192 
193  /* Parse integer */
194  if ( ( rc = asn1_integer ( &cursor, &version ) ) != 0 ) {
195  DBGC ( cert, "X509 %p cannot parse version: %s\n",
196  cert, strerror ( rc ) );
197  DBGC_HDA ( cert, 0, raw->data, raw->len );
198  return rc;
199  }
200 
201  /* Sanity check */
202  if ( version < 0 ) {
203  DBGC ( cert, "X509 %p invalid version %d\n", cert, version );
204  DBGC_HDA ( cert, 0, raw->data, raw->len );
205  return -EINVAL_VERSION;
206  }
207 
208  /* Record version */
209  cert->version = version;
210  DBGC2 ( cert, "X509 %p is a version %d certificate\n",
211  cert, ( cert->version + 1 ) );
212 
213  return 0;
214 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define DBGC(...)
Definition: compiler.h:505
void * memcpy(void *dest, const void *src, size_t len) __nonnull
u32 version
Driver version.
Definition: ath9k_hw.c:1983
#define EINVAL_VERSION
Definition: x509.c:78
#define DBGC_HDA(...)
Definition: compiler.h:506
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
#define DBGC2(...)
Definition: compiler.h:522
unsigned int version
Version.
Definition: x509.h:232
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
Definition: asn1.c:357
__be32 raw[7]
Definition: CIB_PRM.h:28
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_integer(), DBGC, DBGC2, DBGC_HDA, EINVAL_VERSION, memcpy(), raw, rc, strerror(), x509_certificate::version, and version.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_serial()

static int x509_parse_serial ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate serial number.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 223 of file x509.c.

224  {
225  struct x509_serial *serial = &cert->serial;
226  int rc;
227 
228  /* Record raw serial number */
229  memcpy ( &serial->raw, raw, sizeof ( serial->raw ) );
230  if ( ( rc = asn1_shrink ( &serial->raw, ASN1_INTEGER ) ) != 0 ) {
231  DBGC ( cert, "X509 %p cannot shrink serialNumber: %s\n",
232  cert, strerror ( rc ) );
233  return rc;
234  }
235  DBGC2 ( cert, "X509 %p issuer is:\n", cert );
236  DBGC2_HDA ( cert, 0, serial->raw.data, serial->raw.len );
237 
238  return 0;
239 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
#define DBGC(...)
Definition: compiler.h:505
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition: asn1.c:277
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC2_HDA(...)
Definition: compiler.h:523
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
struct x509_serial serial
Serial number.
Definition: x509.h:234
uint64_t serial
Serial number.
Definition: edd.h:30
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
An X.509 serial number.
Definition: x509.h:23
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28

References ASN1_INTEGER, asn1_shrink(), DBGC, DBGC2, DBGC2_HDA, memcpy(), raw, rc, serial, x509_certificate::serial, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_issuer()

static int x509_parse_issuer ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate issuer.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 248 of file x509.c.

249  {
250  struct x509_issuer *issuer = &cert->issuer;
251  int rc;
252 
253  /* Record raw issuer */
254  memcpy ( &issuer->raw, raw, sizeof ( issuer->raw ) );
255  if ( ( rc = asn1_shrink ( &issuer->raw, ASN1_SEQUENCE ) ) != 0 ) {
256  DBGC ( cert, "X509 %p cannot shrink issuer: %s\n",
257  cert, strerror ( rc ) );
258  return rc;
259  }
260  DBGC2 ( cert, "X509 %p issuer is:\n", cert );
261  DBGC2_HDA ( cert, 0, issuer->raw.data, issuer->raw.len );
262 
263  return 0;
264 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:31
struct x509_issuer issuer
Issuer.
Definition: x509.h:240
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
size_t len
Length of data.
Definition: asn1.h:24
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition: asn1.c:277
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC2_HDA(...)
Definition: compiler.h:523
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 issuer.
Definition: x509.h:29
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28

References ASN1_SEQUENCE, asn1_shrink(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, x509_certificate::issuer, asn1_cursor::len, memcpy(), raw, x509_issuer::raw, rc, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_validity()

static int x509_parse_validity ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate validity.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 273 of file x509.c.

274  {
275  struct x509_validity *validity = &cert->validity;
276  struct x509_time *not_before = &validity->not_before;
277  struct x509_time *not_after = &validity->not_after;
278  struct asn1_cursor cursor;
279  int rc;
280 
281  /* Enter validity */
282  memcpy ( &cursor, raw, sizeof ( cursor ) );
283  asn1_enter ( &cursor, ASN1_SEQUENCE );
284 
285  /* Parse notBefore */
286  if ( ( rc = asn1_generalized_time ( &cursor,
287  &not_before->time ) ) != 0 ) {
288  DBGC ( cert, "X509 %p cannot parse notBefore: %s\n",
289  cert, strerror ( rc ) );
290  return rc;
291  }
292  DBGC2 ( cert, "X509 %p valid from time %lld\n",
293  cert, not_before->time );
294  asn1_skip_any ( &cursor );
295 
296  /* Parse notAfter */
297  if ( ( rc = asn1_generalized_time ( &cursor,
298  &not_after->time ) ) != 0 ) {
299  DBGC ( cert, "X509 %p cannot parse notAfter: %s\n",
300  cert, strerror ( rc ) );
301  return rc;
302  }
303  DBGC2 ( cert, "X509 %p valid until time %lld\n",
304  cert, not_after->time );
305 
306  return 0;
307 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
int asn1_generalized_time(const struct asn1_cursor *cursor, time_t *time)
Parse ASN.1 GeneralizedTime.
Definition: asn1.c:751
#define DBGC(...)
Definition: compiler.h:505
time_t time
Seconds since the Epoch.
Definition: x509.h:37
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct x509_time not_before
Not valid before.
Definition: x509.h:43
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 certificate validity period.
Definition: x509.h:41
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
struct x509_validity validity
Validity.
Definition: x509.h:242
An X.509 time.
Definition: x509.h:35
#define DBGC2(...)
Definition: compiler.h:522
struct x509_time not_after
Not valid after.
Definition: x509.h:45
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), asn1_generalized_time(), ASN1_SEQUENCE, asn1_skip_any(), DBGC, DBGC2, memcpy(), x509_validity::not_after, x509_validity::not_before, raw, rc, strerror(), x509_time::time, and x509_certificate::validity.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_common_name()

static int x509_parse_common_name ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate common name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 316 of file x509.c.

317  {
318  struct asn1_cursor cursor;
319  struct asn1_cursor oid_cursor;
320  struct asn1_cursor name_cursor;
321  int rc;
322 
323  /* Enter name */
324  memcpy ( &cursor, raw, sizeof ( cursor ) );
325  asn1_enter ( &cursor, ASN1_SEQUENCE );
326 
327  /* Scan through name list */
328  for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {
329 
330  /* Check for "commonName" OID */
331  memcpy ( &oid_cursor, &cursor, sizeof ( oid_cursor ) );
332  asn1_enter ( &oid_cursor, ASN1_SET );
333  asn1_enter ( &oid_cursor, ASN1_SEQUENCE );
334  memcpy ( &name_cursor, &oid_cursor, sizeof ( name_cursor ) );
335  asn1_enter ( &oid_cursor, ASN1_OID );
336  if ( asn1_compare ( &oid_common_name_cursor, &oid_cursor ) != 0)
337  continue;
338  asn1_skip_any ( &name_cursor );
339  if ( ( rc = asn1_enter_any ( &name_cursor ) ) != 0 ) {
340  DBGC ( cert, "X509 %p cannot locate name:\n", cert );
341  DBGC_HDA ( cert, 0, raw->data, raw->len );
342  return rc;
343  }
344 
345  /* Record common name */
346  memcpy ( &cert->subject.common_name, &name_cursor,
347  sizeof ( cert->subject.common_name ) );
348 
349  return 0;
350  }
351 
352  /* Certificates may not have a commonName */
353  DBGC2 ( cert, "X509 %p no commonName found:\n", cert );
354  return 0;
355 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
#define ASN1_SET
ASN.1 set.
Definition: asn1.h:92
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC_HDA(...)
Definition: compiler.h:506
struct x509_subject subject
Subject.
Definition: x509.h:244
static struct asn1_cursor oid_common_name_cursor
"commonName" object identifier cursor
Definition: x509.c:173
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
Definition: asn1.c:303
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
struct asn1_cursor common_name
Common name.
Definition: x509.h:63
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_compare(), asn1_enter(), asn1_enter_any(), ASN1_OID, ASN1_SEQUENCE, ASN1_SET, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, DBGC_HDA, asn1_cursor::len, memcpy(), oid_common_name_cursor, raw, rc, and x509_certificate::subject.

Referenced by x509_parse_subject().

◆ x509_parse_subject()

static int x509_parse_subject ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate subject.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 364 of file x509.c.

365  {
366  struct x509_subject *subject = &cert->subject;
367  int rc;
368 
369  /* Record raw subject */
370  memcpy ( &subject->raw, raw, sizeof ( subject->raw ) );
371  asn1_shrink_any ( &subject->raw );
372  DBGC2 ( cert, "X509 %p subject is:\n", cert );
373  DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );
374 
375  /* Parse common name */
376  if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
377  return rc;
378  DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
379  x509_name ( cert ) );
380 
381  return 0;
382 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
const void * data
Start of data.
Definition: asn1.h:22
size_t len
Length of data.
Definition: asn1.h:24
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC2_HDA(...)
Definition: compiler.h:523
struct x509_subject subject
Subject.
Definition: x509.h:244
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:323
static int x509_parse_common_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate common name.
Definition: x509.c:316
struct asn1_cursor raw
Raw subject.
Definition: x509.h:61
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
An X.509 certificate subject.
Definition: x509.h:59
__be32 raw[7]
Definition: CIB_PRM.h:28

References asn1_shrink_any(), asn1_cursor::data, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), raw, x509_subject::raw, rc, x509_certificate::subject, x509_name(), and x509_parse_common_name().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_public_key()

static int x509_parse_public_key ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate public key information.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 391 of file x509.c.

392  {
393  struct x509_public_key *public_key = &cert->subject.public_key;
394  struct asn1_algorithm **algorithm = &public_key->algorithm;
395  struct asn1_bit_string *raw_bits = &public_key->raw_bits;
396  struct asn1_cursor cursor;
397  int rc;
398 
399  /* Record raw subjectPublicKeyInfo */
400  memcpy ( &cursor, raw, sizeof ( cursor ) );
401  asn1_shrink_any ( &cursor );
402  memcpy ( &public_key->raw, &cursor, sizeof ( public_key->raw ) );
403  DBGC2 ( cert, "X509 %p public key is:\n", cert );
404  DBGC2_HDA ( cert, 0, public_key->raw.data, public_key->raw.len );
405 
406  /* Enter subjectPublicKeyInfo */
407  asn1_enter ( &cursor, ASN1_SEQUENCE );
408 
409  /* Parse algorithm */
410  if ( ( rc = asn1_pubkey_algorithm ( &cursor, algorithm ) ) != 0 ) {
411  DBGC ( cert, "X509 %p could not parse public key algorithm: "
412  "%s\n", cert, strerror ( rc ) );
413  return rc;
414  }
415  DBGC2 ( cert, "X509 %p public key algorithm is %s\n",
416  cert, (*algorithm)->name );
417  asn1_skip_any ( &cursor );
418 
419  /* Parse bit string */
420  if ( ( rc = asn1_bit_string ( &cursor, raw_bits ) ) != 0 ) {
421  DBGC ( cert, "X509 %p could not parse public key bits: %s\n",
422  cert, strerror ( rc ) );
423  return rc;
424  }
425 
426  return 0;
427 }
struct asn1_bit_string raw_bits
Raw public key bit string.
Definition: x509.h:55
An ASN.1 OID-identified algorithm.
Definition: asn1.h:366
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:51
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
size_t len
Length of data.
Definition: asn1.h:24
void * memcpy(void *dest, const void *src, size_t len) __nonnull
An X.509 certificate public key.
Definition: x509.h:49
struct x509_public_key public_key
Public key information.
Definition: x509.h:65
#define DBGC2_HDA(...)
Definition: compiler.h:523
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
struct x509_subject subject
Subject.
Definition: x509.h:244
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
Definition: asn1.c:566
struct asn1_algorithm * algorithm
Public key algorithm.
Definition: x509.h:53
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:323
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20
An ASN.1 bit string.
Definition: asn1.h:420

References x509_public_key::algorithm, algorithm, asn1_enter(), asn1_pubkey_algorithm(), ASN1_SEQUENCE, asn1_shrink_any(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), x509_subject::public_key, raw, x509_public_key::raw, x509_public_key::raw_bits, rc, strerror(), and x509_certificate::subject.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_basic_constraints()

static int x509_parse_basic_constraints ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate basic constraints.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 436 of file x509.c.

437  {
438  struct x509_basic_constraints *basic = &cert->extensions.basic;
439  struct asn1_cursor cursor;
440  int ca = 0;
441  int path_len;
442  int rc;
443 
444  /* Enter basicConstraints */
445  memcpy ( &cursor, raw, sizeof ( cursor ) );
446  asn1_enter ( &cursor, ASN1_SEQUENCE );
447 
448  /* Parse "cA", if present */
449  if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
450  ca = asn1_boolean ( &cursor );
451  if ( ca < 0 ) {
452  rc = ca;
453  DBGC ( cert, "X509 %p cannot parse cA: %s\n",
454  cert, strerror ( rc ) );
455  DBGC_HDA ( cert, 0, raw->data, raw->len );
456  return rc;
457  }
458  asn1_skip_any ( &cursor );
459  }
460  basic->ca = ca;
461  DBGC2 ( cert, "X509 %p is %sa CA certificate\n",
462  cert, ( basic->ca ? "" : "not " ) );
463 
464  /* Ignore everything else unless "cA" is true */
465  if ( ! ca )
466  return 0;
467 
468  /* Parse "pathLenConstraint", if present and applicable */
470  if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
471  if ( ( rc = asn1_integer ( &cursor, &path_len ) ) != 0 ) {
472  DBGC ( cert, "X509 %p cannot parse pathLenConstraint: "
473  "%s\n", cert, strerror ( rc ) );
474  DBGC_HDA ( cert, 0, raw->data, raw->len );
475  return rc;
476  }
477  if ( path_len < 0 ) {
478  DBGC ( cert, "X509 %p invalid pathLenConstraint %d\n",
479  cert, path_len );
480  DBGC_HDA ( cert, 0, raw->data, raw->len );
481  return -EINVAL;
482  }
483  basic->path_len = path_len;
484  DBGC2 ( cert, "X509 %p path length constraint is %d\n",
485  cert, basic->path_len );
486  }
487 
488  return 0;
489 }
#define EINVAL
Invalid argument.
Definition: errno.h:428
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
unsigned int path_len
Path length.
Definition: x509.h:81
An X.509 certificate basic constraints set.
Definition: x509.h:77
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define ASN1_BOOLEAN
ASN.1 boolean.
Definition: asn1.h:59
#define DBGC(...)
Definition: compiler.h:505
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:446
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
Definition: asn1.c:333
#define DBGC_HDA(...)
Definition: compiler.h:506
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
int ca
Subject is a CA.
Definition: x509.h:79
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
#define DBGC2(...)
Definition: compiler.h:522
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
Definition: asn1.c:357
#define X509_PATH_LEN_UNLIMITED
Unlimited path length.
Definition: x509.h:89
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:158
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_INTEGER, asn1_integer(), ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), x509_extensions::basic, x509_basic_constraints::ca, DBGC, DBGC2, DBGC_HDA, EINVAL, x509_certificate::extensions, memcpy(), x509_basic_constraints::path_len, raw, rc, strerror(), and X509_PATH_LEN_UNLIMITED.

◆ x509_parse_key_usage()

static int x509_parse_key_usage ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 498 of file x509.c.

499  {
500  struct x509_key_usage *usage = &cert->extensions.usage;
501  struct asn1_bit_string bit_string;
502  const uint8_t *bytes;
503  size_t len;
504  unsigned int i;
505  int rc;
506 
507  /* Mark extension as present */
508  usage->present = 1;
509 
510  /* Parse bit string */
511  if ( ( rc = asn1_bit_string ( raw, &bit_string ) ) != 0 ) {
512  DBGC ( cert, "X509 %p could not parse key usage: %s\n",
513  cert, strerror ( rc ) );
514  return rc;
515  }
516 
517  /* Parse key usage bits */
518  bytes = bit_string.data;
519  len = bit_string.len;
520  if ( len > sizeof ( usage->bits ) )
521  len = sizeof ( usage->bits );
522  for ( i = 0 ; i < len ; i++ ) {
523  usage->bits |= ( *(bytes++) << ( 8 * i ) );
524  }
525  DBGC2 ( cert, "X509 %p key usage is %08x\n", cert, usage->bits );
526 
527  return 0;
528 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
#define DBGC(...)
Definition: compiler.h:505
int present
Key usage extension is present.
Definition: x509.h:94
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
unsigned char uint8_t
Definition: stdint.h:10
An X.509 certificate key usage.
Definition: x509.h:92
#define DBGC2(...)
Definition: compiler.h:522
unsigned int bits
Usage bits.
Definition: x509.h:96
__be32 raw[7]
Definition: CIB_PRM.h:28
struct x509_key_usage usage
Key usage.
Definition: x509.h:160
uint8_t bytes[64]
Definition: ib_mad.h:16
uint32_t len
Length.
Definition: ena.h:14
struct x509_extensions extensions
Extensions.
Definition: x509.h:248
An ASN.1 bit string.
Definition: asn1.h:420

References x509_key_usage::bits, bytes, asn1_bit_string::data, DBGC, DBGC2, x509_certificate::extensions, len, asn1_bit_string::len, x509_key_usage::present, raw, rc, strerror(), and x509_extensions::usage.

◆ x509_parse_key_purpose()

static int x509_parse_key_purpose ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate key purpose identifier.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 557 of file x509.c.

558  {
559  struct x509_extended_key_usage *ext_usage = &cert->extensions.ext_usage;
560  struct x509_key_purpose *purpose;
561  struct asn1_cursor cursor;
562  unsigned int i;
563  int rc;
564 
565  /* Enter keyPurposeId */
566  memcpy ( &cursor, raw, sizeof ( cursor ) );
567  if ( ( rc = asn1_enter ( &cursor, ASN1_OID ) ) != 0 ) {
568  DBGC ( cert, "X509 %p invalid keyPurposeId:\n", cert );
569  DBGC_HDA ( cert, 0, raw->data, raw->len );
570  return rc;
571  }
572 
573  /* Identify key purpose */
574  for ( i = 0 ; i < ( sizeof ( x509_key_purposes ) /
575  sizeof ( x509_key_purposes[0] ) ) ; i++ ) {
576  purpose = &x509_key_purposes[i];
577  if ( asn1_compare ( &cursor, &purpose->oid ) == 0 ) {
578  DBGC2 ( cert, "X509 %p has key purpose %s\n",
579  cert, purpose->name );
580  ext_usage->bits |= purpose->bits;
581  return 0;
582  }
583  }
584 
585  /* Ignore unrecognised key purposes */
586  return 0;
587 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct x509_extended_key_usage ext_usage
Extended key usage.
Definition: x509.h:162
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
unsigned int bits
Usage bits.
Definition: x509.h:115
const char * name
Name.
Definition: x509.h:350
#define DBGC(...)
Definition: compiler.h:505
struct asn1_cursor oid
Object identifier.
Definition: x509.h:352
An X.509 key purpose.
Definition: x509.h:348
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC_HDA(...)
Definition: compiler.h:506
static struct x509_key_purpose x509_key_purposes[]
Supported key purposes.
Definition: x509.c:537
unsigned int bits
Extended key usage bits.
Definition: x509.h:354
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
An X.509 certificate extended key usage.
Definition: x509.h:113
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References asn1_compare(), asn1_enter(), ASN1_OID, x509_extended_key_usage::bits, x509_key_purpose::bits, DBGC, DBGC2, DBGC_HDA, x509_extensions::ext_usage, x509_certificate::extensions, memcpy(), x509_key_purpose::name, x509_key_purpose::oid, raw, rc, and x509_key_purposes.

Referenced by x509_parse_extended_key_usage().

◆ x509_parse_extended_key_usage()

static int x509_parse_extended_key_usage ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extended key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 596 of file x509.c.

597  {
598  struct asn1_cursor cursor;
599  int rc;
600 
601  /* Enter extKeyUsage */
602  memcpy ( &cursor, raw, sizeof ( cursor ) );
603  asn1_enter ( &cursor, ASN1_SEQUENCE );
604 
605  /* Parse each extended key usage in turn */
606  while ( cursor.len ) {
607  if ( ( rc = x509_parse_key_purpose ( cert, &cursor ) ) != 0 )
608  return rc;
609  asn1_skip_any ( &cursor );
610  }
611 
612  return 0;
613 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
static int x509_parse_key_purpose(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key purpose identifier.
Definition: x509.c:557
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_key_purpose().

◆ x509_parse_ocsp()

static int x509_parse_ocsp ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate OCSP access method.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 622 of file x509.c.

623  {
624  struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
625  struct asn1_cursor *uri = &ocsp->uri;
626  int rc;
627 
628  /* Enter accessLocation */
629  memcpy ( uri, raw, sizeof ( *uri ) );
630  if ( ( rc = asn1_enter ( uri, X509_GENERAL_NAME_URI ) ) != 0 ) {
631  DBGC ( cert, "X509 %p OCSP does not contain "
632  "uniformResourceIdentifier:\n", cert );
633  DBGC_HDA ( cert, 0, raw->data, raw->len );
634  return rc;
635  }
636  DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
637  DBGC2_HDA ( cert, 0, uri->data, uri->len );
638 
639  return 0;
640 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define DBGC(...)
Definition: compiler.h:505
X.509 certificate OCSP responder.
Definition: x509.h:129
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC_HDA(...)
Definition: compiler.h:506
struct x509_authority_info_access auth_info
Authority information access.
Definition: x509.h:164
struct asn1_cursor uri
URI.
Definition: x509.h:131
#define DBGC2_HDA(...)
Definition: compiler.h:523
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
A Uniform Resource Identifier.
Definition: uri.h:64
struct x509_ocsp_responder ocsp
OCSP responder.
Definition: x509.h:139
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References asn1_enter(), x509_extensions::auth_info, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, memcpy(), x509_authority_info_access::ocsp, raw, rc, x509_ocsp_responder::uri, and X509_GENERAL_NAME_URI.

◆ x509_find_access_method()

static struct x509_access_method* x509_find_access_method ( const struct asn1_cursor oid)
static

Identify X.509 access method by OID.

Parameters
oidOID
Return values
methodAccess method, or NULL

Definition at line 661 of file x509.c.

661  {
662  struct x509_access_method *method;
663  unsigned int i;
664 
665  for ( i = 0 ; i < ( sizeof ( x509_access_methods ) /
666  sizeof ( x509_access_methods[0] ) ) ; i++ ) {
668  if ( asn1_compare ( &method->oid, oid ) == 0 )
669  return method;
670  }
671 
672  return NULL;
673 }
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
uint8_t method
Definition: ib_mad.h:14
static struct x509_access_method x509_access_methods[]
Supported access methods.
Definition: x509.c:646
struct asn1_cursor oid
Object identifier.
Definition: x509.h:362
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
An X.509 access method.
Definition: x509.h:358

References asn1_compare(), method, NULL, x509_access_method::oid, and x509_access_methods.

Referenced by x509_parse_access_description().

◆ x509_parse_access_description()

static int x509_parse_access_description ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate access description.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 682 of file x509.c.

683  {
684  struct asn1_cursor cursor;
685  struct asn1_cursor subcursor;
686  struct x509_access_method *method;
687  int rc;
688 
689  /* Enter keyPurposeId */
690  memcpy ( &cursor, raw, sizeof ( cursor ) );
691  asn1_enter ( &cursor, ASN1_SEQUENCE );
692 
693  /* Try to identify access method */
694  memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
695  asn1_enter ( &subcursor, ASN1_OID );
696  method = x509_find_access_method ( &subcursor );
697  asn1_skip_any ( &cursor );
698  DBGC2 ( cert, "X509 %p found access method %s\n",
699  cert, ( method ? method->name : "<unknown>" ) );
700 
701  /* Parse access location, if applicable */
702  if ( method && ( ( rc = method->parse ( cert, &cursor ) ) != 0 ) )
703  return rc;
704 
705  return 0;
706 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
uint8_t method
Definition: ib_mad.h:14
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20
static struct x509_access_method * x509_find_access_method(const struct asn1_cursor *oid)
Identify X.509 access method by OID.
Definition: x509.c:661
An X.509 access method.
Definition: x509.h:358

References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), DBGC2, memcpy(), method, raw, rc, and x509_find_access_method().

Referenced by x509_parse_authority_info_access().

◆ x509_parse_authority_info_access()

static int x509_parse_authority_info_access ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate authority information access.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 715 of file x509.c.

716  {
717  struct asn1_cursor cursor;
718  int rc;
719 
720  /* Enter authorityInfoAccess */
721  memcpy ( &cursor, raw, sizeof ( cursor ) );
722  asn1_enter ( &cursor, ASN1_SEQUENCE );
723 
724  /* Parse each access description in turn */
725  while ( cursor.len ) {
726  if ( ( rc = x509_parse_access_description ( cert,
727  &cursor ) ) != 0 )
728  return rc;
729  asn1_skip_any ( &cursor );
730  }
731 
732  return 0;
733 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
__be32 raw[7]
Definition: CIB_PRM.h:28
static int x509_parse_access_description(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate access description.
Definition: x509.c:682
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_access_description().

◆ x509_parse_subject_alt_name()

static int x509_parse_subject_alt_name ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate subject alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 742 of file x509.c.

743  {
744  struct x509_subject_alt_name *alt_name = &cert->extensions.alt_name;
745  struct asn1_cursor *names = &alt_name->names;
746  int rc;
747 
748  /* Enter subjectAltName */
749  memcpy ( names, raw, sizeof ( *names ) );
750  if ( ( rc = asn1_enter ( names, ASN1_SEQUENCE ) ) != 0 ) {
751  DBGC ( cert, "X509 %p invalid subjectAltName: %s\n",
752  cert, strerror ( rc ) );
753  DBGC_HDA ( cert, 0, raw->data, raw->len );
754  return rc;
755  }
756  DBGC2 ( cert, "X509 %p has subjectAltName:\n", cert );
757  DBGC2_HDA ( cert, 0, names->data, names->len );
758 
759  return 0;
760 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor names
Names.
Definition: x509.h:145
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
size_t len
Length of data.
Definition: asn1.h:24
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define DBGC_HDA(...)
Definition: compiler.h:506
#define DBGC2_HDA(...)
Definition: compiler.h:523
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition: x509.h:166
#define DBGC2(...)
Definition: compiler.h:522
X.509 certificate subject alternative name.
Definition: x509.h:143
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References x509_extensions::alt_name, asn1_enter(), ASN1_SEQUENCE, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, asn1_cursor::len, memcpy(), x509_subject_alt_name::names, raw, rc, and strerror().

◆ x509_find_extension()

static struct x509_extension* x509_find_extension ( const struct asn1_cursor oid)
static

Identify X.509 extension by OID.

Parameters
oidOID
Return values
extensionExtension, or NULL

Definition at line 818 of file x509.c.

818  {
819  struct x509_extension *extension;
820  unsigned int i;
821 
822  for ( i = 0 ; i < ( sizeof ( x509_extensions ) /
823  sizeof ( x509_extensions[0] ) ) ; i++ ) {
824  extension = &x509_extensions[i];
825  if ( asn1_compare ( &extension->oid, oid ) == 0 )
826  return extension;
827  }
828 
829  return NULL;
830 }
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
struct asn1_cursor oid
Object identifier.
Definition: x509.h:336
static struct x509_extension x509_extensions[]
Supported certificate extensions.
Definition: x509.c:783
An X.509 certificate extensions set.
Definition: x509.h:156
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
An X.509 extension.
Definition: x509.h:332

References asn1_compare(), NULL, x509_extension::oid, and x509_extensions.

Referenced by x509_parse_extension().

◆ x509_parse_extension()

static int x509_parse_extension ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extension.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 839 of file x509.c.

840  {
841  struct asn1_cursor cursor;
842  struct asn1_cursor subcursor;
843  struct x509_extension *extension;
844  int is_critical = 0;
845  int rc;
846 
847  /* Enter extension */
848  memcpy ( &cursor, raw, sizeof ( cursor ) );
849  asn1_enter ( &cursor, ASN1_SEQUENCE );
850 
851  /* Try to identify extension */
852  memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
853  asn1_enter ( &subcursor, ASN1_OID );
854  extension = x509_find_extension ( &subcursor );
855  asn1_skip_any ( &cursor );
856  DBGC2 ( cert, "X509 %p found extension %s\n",
857  cert, ( extension ? extension->name : "<unknown>" ) );
858 
859  /* Identify criticality */
860  if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
861  is_critical = asn1_boolean ( &cursor );
862  if ( is_critical < 0 ) {
863  rc = is_critical;
864  DBGC ( cert, "X509 %p cannot parse extension "
865  "criticality: %s\n", cert, strerror ( rc ) );
866  DBGC_HDA ( cert, 0, raw->data, raw->len );
867  return rc;
868  }
869  asn1_skip_any ( &cursor );
870  }
871 
872  /* Handle unknown extensions */
873  if ( ! extension ) {
874  if ( is_critical ) {
875  /* Fail if we cannot handle a critical extension */
876  DBGC ( cert, "X509 %p cannot handle critical "
877  "extension:\n", cert );
878  DBGC_HDA ( cert, 0, raw->data, raw->len );
879  return -ENOTSUP_EXTENSION;
880  } else {
881  /* Ignore unknown non-critical extensions */
882  return 0;
883  }
884  };
885 
886  /* Extract extnValue */
887  if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
888  DBGC ( cert, "X509 %p extension missing extnValue:\n", cert );
889  DBGC_HDA ( cert, 0, raw->data, raw->len );
890  return rc;
891  }
892 
893  /* Parse extension */
894  if ( ( rc = extension->parse ( cert, &cursor ) ) != 0 )
895  return rc;
896 
897  return 0;
898 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define ASN1_BOOLEAN
ASN.1 boolean.
Definition: asn1.h:59
#define DBGC(...)
Definition: compiler.h:505
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:446
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
Definition: asn1.c:333
#define DBGC_HDA(...)
Definition: compiler.h:506
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
const char * name
Name.
Definition: x509.h:334
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
#define DBGC2(...)
Definition: compiler.h:522
#define ENOTSUP_EXTENSION
Definition: x509.c:62
__be32 raw[7]
Definition: CIB_PRM.h:28
static struct x509_extension * x509_find_extension(const struct asn1_cursor *oid)
Identify X.509 extension by OID.
Definition: x509.c:818
#define ASN1_OCTET_STRING
ASN.1 octet string.
Definition: asn1.h:68
int(* parse)(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse extension.
Definition: x509.h:343
An ASN.1 object cursor.
Definition: asn1.h:20
An X.509 extension.
Definition: x509.h:332

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_OCTET_STRING, ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), DBGC, DBGC2, DBGC_HDA, ENOTSUP_EXTENSION, memcpy(), x509_extension::name, x509_extension::parse, raw, rc, strerror(), and x509_find_extension().

Referenced by x509_parse_extensions().

◆ x509_parse_extensions()

static int x509_parse_extensions ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extensions, if present.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 907 of file x509.c.

908  {
909  struct asn1_cursor cursor;
910  int rc;
911 
912  /* Enter extensions, if present */
913  memcpy ( &cursor, raw, sizeof ( cursor ) );
914  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 3 ) );
915  asn1_enter ( &cursor, ASN1_SEQUENCE );
916 
917  /* Parse each extension in turn */
918  while ( cursor.len ) {
919  if ( ( rc = x509_parse_extension ( cert, &cursor ) ) != 0 )
920  return rc;
921  asn1_skip_any ( &cursor );
922  }
923 
924  return 0;
925 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
static int x509_parse_extension(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extension.
Definition: x509.c:839
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
__be32 raw[7]
Definition: CIB_PRM.h:28
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_extension().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_tbscertificate()

static int x509_parse_tbscertificate ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate tbsCertificate.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 934 of file x509.c.

935  {
936  struct asn1_algorithm **algorithm = &cert->signature_algorithm;
937  struct asn1_cursor cursor;
938  int rc;
939 
940  /* Record raw tbsCertificate */
941  memcpy ( &cursor, raw, sizeof ( cursor ) );
942  asn1_shrink_any ( &cursor );
943  memcpy ( &cert->tbs, &cursor, sizeof ( cert->tbs ) );
944 
945  /* Enter tbsCertificate */
946  asn1_enter ( &cursor, ASN1_SEQUENCE );
947 
948  /* Parse version, if present */
949  if ( asn1_type ( &cursor ) == ASN1_EXPLICIT_TAG ( 0 ) ) {
950  if ( ( rc = x509_parse_version ( cert, &cursor ) ) != 0 )
951  return rc;
952  asn1_skip_any ( &cursor );
953  }
954 
955  /* Parse serialNumber */
956  if ( ( rc = x509_parse_serial ( cert, &cursor ) ) != 0 )
957  return rc;
958  asn1_skip_any ( &cursor );
959 
960  /* Parse signature */
961  if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
962  DBGC ( cert, "X509 %p could not parse signature algorithm: "
963  "%s\n", cert, strerror ( rc ) );
964  return rc;
965  }
966  DBGC2 ( cert, "X509 %p tbsCertificate signature algorithm is %s\n",
967  cert, (*algorithm)->name );
968  asn1_skip_any ( &cursor );
969 
970  /* Parse issuer */
971  if ( ( rc = x509_parse_issuer ( cert, &cursor ) ) != 0 )
972  return rc;
973  asn1_skip_any ( &cursor );
974 
975  /* Parse validity */
976  if ( ( rc = x509_parse_validity ( cert, &cursor ) ) != 0 )
977  return rc;
978  asn1_skip_any ( &cursor );
979 
980  /* Parse subject */
981  if ( ( rc = x509_parse_subject ( cert, &cursor ) ) != 0 )
982  return rc;
983  asn1_skip_any ( &cursor );
984 
985  /* Parse subjectPublicKeyInfo */
986  if ( ( rc = x509_parse_public_key ( cert, &cursor ) ) != 0 )
987  return rc;
988  asn1_skip_any ( &cursor );
989 
990  /* Parse extensions, if present */
991  if ( ( rc = x509_parse_extensions ( cert, &cursor ) ) != 0 )
992  return rc;
993 
994  return 0;
995 }
An ASN.1 OID-identified algorithm.
Definition: asn1.h:366
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:238
#define DBGC(...)
Definition: compiler.h:505
static int x509_parse_issuer(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate issuer.
Definition: x509.c:248
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:446
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition: asn1.c:646
static int x509_parse_serial(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate serial number.
Definition: x509.c:223
void * memcpy(void *dest, const void *src, size_t len) __nonnull
static int x509_parse_version(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate version.
Definition: x509.c:183
static int x509_parse_validity(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate validity.
Definition: x509.c:273
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:323
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
static int x509_parse_subject(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject.
Definition: x509.c:364
#define DBGC2(...)
Definition: compiler.h:522
struct asn1_cursor tbs
Raw tbsCertificate.
Definition: x509.h:236
__be32 raw[7]
Definition: CIB_PRM.h:28
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
static int x509_parse_extensions(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extensions, if present.
Definition: x509.c:907
An ASN.1 object cursor.
Definition: asn1.h:20
static int x509_parse_public_key(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate public key information.
Definition: x509.c:391

References algorithm, asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_shrink_any(), asn1_signature_algorithm(), asn1_skip_any(), asn1_type(), DBGC, DBGC2, memcpy(), raw, rc, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, x509_parse_extensions(), x509_parse_issuer(), x509_parse_public_key(), x509_parse_serial(), x509_parse_subject(), x509_parse_validity(), and x509_parse_version().

Referenced by x509_parse().

◆ x509_parse()

int x509_parse ( struct x509_certificate cert,
const struct asn1_cursor raw 
)

Parse X.509 certificate from ASN.1 data.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 1004 of file x509.c.

1005  {
1006  struct x509_signature *signature = &cert->signature;
1007  struct asn1_algorithm **signature_algorithm = &signature->algorithm;
1008  struct asn1_bit_string *signature_value = &signature->value;
1009  struct asn1_cursor cursor;
1010  int rc;
1011 
1012  /* Record raw certificate */
1013  memcpy ( &cursor, raw, sizeof ( cursor ) );
1014  memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
1015 
1016  /* Enter certificate */
1017  asn1_enter ( &cursor, ASN1_SEQUENCE );
1018 
1019  /* Parse tbsCertificate */
1020  if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
1021  return rc;
1022  asn1_skip_any ( &cursor );
1023 
1024  /* Parse signatureAlgorithm */
1025  if ( ( rc = asn1_signature_algorithm ( &cursor,
1026  signature_algorithm ) ) != 0 ) {
1027  DBGC ( cert, "X509 %p could not parse signature algorithm: "
1028  "%s\n", cert, strerror ( rc ) );
1029  return rc;
1030  }
1031  DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
1032  cert, (*signature_algorithm)->name );
1033  asn1_skip_any ( &cursor );
1034 
1035  /* Parse signatureValue */
1036  if ( ( rc = asn1_integral_bit_string ( &cursor,
1037  signature_value ) ) != 0 ) {
1038  DBGC ( cert, "X509 %p could not parse signature value: %s\n",
1039  cert, strerror ( rc ) );
1040  return rc;
1041  }
1042  DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
1043  DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
1044 
1045  /* Check that algorithm in tbsCertificate matches algorithm in
1046  * signature
1047  */
1048  if ( signature->algorithm != (*signature_algorithm) ) {
1049  DBGC ( cert, "X509 %p signature algorithm %s does not match "
1050  "signatureAlgorithm %s\n",
1051  cert, signature->algorithm->name,
1052  (*signature_algorithm)->name );
1053  return -EINVAL_ALGORITHM_MISMATCH;
1054  }
1055 
1056  return 0;
1057 }
const void * data
Data.
Definition: asn1.h:422
An ASN.1 OID-identified algorithm.
Definition: asn1.h:366
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:205
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition: asn1.c:646
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct x509_signature signature
Signature.
Definition: x509.h:246
#define DBGC2_HDA(...)
Definition: compiler.h:523
int asn1_integral_bit_string(const struct asn1_cursor *cursor, struct asn1_bit_string *bits)
Parse ASN.1 bit string that must be an integral number of bytes.
Definition: asn1.c:451
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Definition: x509.c:934
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
size_t len
Length.
Definition: asn1.h:424
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
#define DBGC2(...)
Definition: compiler.h:522
#define EINVAL_ALGORITHM_MISMATCH
Definition: x509.c:70
__be32 raw[7]
Definition: CIB_PRM.h:28
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:230
u8 signature
CPU signature.
Definition: CIB_PRM.h:35
An ASN.1 object cursor.
Definition: asn1.h:20
An ASN.1 bit string.
Definition: asn1.h:420
An X.509 certificate signature.
Definition: x509.h:69

References asn1_enter(), asn1_integral_bit_string(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_bit_string::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_bit_string::len, memcpy(), raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

◆ x509_certificate()

int x509_certificate ( const void *  data,
size_t  len,
struct x509_certificate **  cert 
)

Create X.509 certificate.

Parameters
dataRaw certificate data
lenLength of raw data
Return values
certX.509 certificate
rcReturn status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1070 of file x509.c.

1071  {
1072  struct asn1_cursor cursor;
1073  void *raw;
1074  int rc;
1075 
1076  /* Initialise cursor */
1077  cursor.data = data;
1078  cursor.len = len;
1079  asn1_shrink_any ( &cursor );
1080 
1081  /* Return stored certificate, if present */
1082  if ( ( *cert = x509_find ( NULL, &cursor ) ) != NULL ) {
1083 
1084  /* Add caller's reference */
1085  x509_get ( *cert );
1086  return 0;
1087  }
1088 
1089  /* Allocate and initialise certificate */
1090  *cert = zalloc ( sizeof ( **cert ) + cursor.len );
1091  if ( ! *cert )
1092  return -ENOMEM;
1093  ref_init ( &(*cert)->refcnt, x509_free );
1094  raw = ( *cert + 1 );
1095 
1096  /* Copy raw data */
1097  memcpy ( raw, cursor.data, cursor.len );
1098  cursor.data = raw;
1099 
1100  /* Parse certificate */
1101  if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
1102  x509_put ( *cert );
1103  *cert = NULL;
1104  return rc;
1105  }
1106 
1107  /* Add certificate to store */
1108  certstore_add ( *cert );
1109 
1110  return 0;
1111 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:266
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
Definition: x509.c:132
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:100
#define ENOMEM
Not enough space.
Definition: errno.h:534
void * memcpy(void *dest, const void *src, size_t len) __nonnull
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
Definition: x509.c:1732
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:323
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:277
uint8_t data[48]
Additional event data.
Definition: ena.h:22
__be32 raw[7]
Definition: CIB_PRM.h:28
struct arbelprm_wqe_segment_data_ptr data[ARBEL_MAX_GATHER]
Definition: arbel.h:237
uint32_t len
Length.
Definition: ena.h:14
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
An ASN.1 object cursor.
Definition: asn1.h:20
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1004

References asn1_shrink_any(), certstore_add(), data, asn1_cursor::data, ENOMEM, len, asn1_cursor::len, memcpy(), NULL, raw, rc, ref_init, x509_find(), x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

◆ x509_check_signature()

static int x509_check_signature ( struct x509_certificate cert,
struct x509_public_key public_key 
)
static

Check X.509 certificate signature.

Parameters
certX.509 certificate
public_keyX.509 public key
Return values
rcReturn status code

Definition at line 1120 of file x509.c.

1121  {
1122  struct x509_signature *signature = &cert->signature;
1123  struct asn1_algorithm *algorithm = signature->algorithm;
1124  struct digest_algorithm *digest = algorithm->digest;
1125  struct pubkey_algorithm *pubkey = algorithm->pubkey;
1126  uint8_t digest_ctx[ digest->ctxsize ];
1127  uint8_t digest_out[ digest->digestsize ];
1128  int rc;
1129 
1130  /* Sanity check */
1131  assert ( cert->signature_algorithm == cert->signature.algorithm );
1132 
1133  /* Calculate certificate digest */
1134  digest_init ( digest, digest_ctx );
1135  digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
1136  digest_final ( digest, digest_ctx, digest_out );
1137  DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
1138  DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );
1139 
1140  /* Check that signature public key algorithm matches signer */
1141  if ( public_key->algorithm->pubkey != pubkey ) {
1142  DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
1143  "match signer's algorithm %s\n",
1144  cert, x509_name ( cert ), algorithm->name,
1145  public_key->algorithm->name );
1147  goto err_mismatch;
1148  }
1149 
1150  /* Verify signature using signer's public key */
1151  if ( ( rc = pubkey_verify ( pubkey, &public_key->raw, digest,
1152  digest_out, signature->value.data,
1153  signature->value.len ) ) != 0 ) {
1154  DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
1155  "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1156  goto err_pubkey_verify;
1157  }
1158 
1159  /* Success */
1160  rc = 0;
1161 
1162  err_pubkey_verify:
1163  err_mismatch:
1164  return rc;
1165 }
An ASN.1 OID-identified algorithm.
Definition: asn1.h:366
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:51
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:206
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const void *signature, size_t signature_len)
Definition: crypto.h:294
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:212
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:238
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
struct asn1_algorithm * algorithm
Signature algorithm.
Definition: x509.h:71
size_t len
Length of data.
Definition: asn1.h:24
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:372
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
struct x509_signature signature
Signature.
Definition: x509.h:246
#define DBGC2_HDA(...)
Definition: compiler.h:523
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:201
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
struct asn1_algorithm * algorithm
Public key algorithm.
Definition: x509.h:53
unsigned char uint8_t
Definition: stdint.h:10
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
const char * name
Name.
Definition: asn1.h:368
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
size_t ctxsize
Context size.
Definition: crypto.h:22
#define DBGC2(...)
Definition: compiler.h:522
size_t digestsize
Digest size.
Definition: crypto.h:26
struct asn1_cursor tbs
Raw tbsCertificate.
Definition: x509.h:236
A message digest algorithm.
Definition: crypto.h:18
#define EINVAL_ALGORITHM_MISMATCH
Definition: x509.c:70
u8 signature
CPU signature.
Definition: CIB_PRM.h:35
A public key algorithm.
Definition: crypto.h:121
An X.509 certificate signature.
Definition: x509.h:69

References x509_public_key::algorithm, x509_signature::algorithm, algorithm, assert(), digest_algorithm::ctxsize, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, asn1_algorithm::name, asn1_algorithm::pubkey, pubkey_verify(), x509_public_key::raw, rc, signature, x509_certificate::signature, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, and x509_name().

Referenced by x509_check_issuer().

◆ x509_check_issuer()

int x509_check_issuer ( struct x509_certificate cert,
struct x509_certificate issuer 
)

Check X.509 certificate against issuer certificate.

Parameters
certX.509 certificate
issuerX.509 issuer certificate
Return values
rcReturn status code

Definition at line 1174 of file x509.c.

1175  {
1176  struct x509_public_key *public_key = &issuer->subject.public_key;
1177  int rc;
1178 
1179  /* Check issuer. In theory, this should be a full X.500 DN
1180  * comparison, which would require support for a plethora of
1181  * abominations such as TeletexString (which allows the
1182  * character set to be changed mid-string using escape codes).
1183  * In practice, we assume that anyone who deliberately changes
1184  * the encoding of the issuer DN is probably a masochist who
1185  * will rather enjoy the process of figuring out exactly why
1186  * their certificate doesn't work.
1187  *
1188  * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
1189  * for some enjoyable ranting on this subject.
1190  */
1191  if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
1192  DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
1193  cert, x509_name ( cert ) );
1194  DBGC ( cert, "X509 %p \"%s\" subject\n",
1195  issuer, x509_name ( issuer ) );
1196  DBGC_HDA ( cert, 0, cert->issuer.raw.data,
1197  cert->issuer.raw.len );
1198  DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
1199  issuer->subject.raw.len );
1200  return -EACCES_WRONG_ISSUER;
1201  }
1202 
1203  /* Check that issuer is allowed to sign certificates */
1204  if ( ! issuer->extensions.basic.ca ) {
1205  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1206  issuer, x509_name ( issuer ) );
1207  DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
1208  cert, x509_name ( cert ) );
1209  return -EACCES_NOT_CA;
1210  }
1211  if ( issuer->extensions.usage.present &&
1212  ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
1213  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1214  issuer, x509_name ( issuer ) );
1215  DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
1216  cert, x509_name ( cert ) );
1217  return -EACCES_KEY_USAGE;
1218  }
1219 
1220  /* Check signature */
1221  if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
1222  return rc;
1223 
1224  return 0;
1225 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:31
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
struct x509_issuer issuer
Issuer.
Definition: x509.h:240
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
int present
Key usage extension is present.
Definition: x509.h:94
size_t len
Length of data.
Definition: asn1.h:24
#define EACCES_KEY_USAGE
Definition: x509.c:90
#define DBGC_HDA(...)
Definition: compiler.h:506
An X.509 certificate public key.
Definition: x509.h:49
struct x509_public_key public_key
Public key information.
Definition: x509.h:65
struct x509_subject subject
Subject.
Definition: x509.h:244
int ca
Subject is a CA.
Definition: x509.h:79
#define EACCES_NOT_CA
Definition: x509.c:86
struct asn1_cursor raw
Raw subject.
Definition: x509.h:61
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
Definition: x509.c:1120
unsigned int bits
Usage bits.
Definition: x509.h:96
struct x509_key_usage usage
Key usage.
Definition: x509.h:160
#define EACCES_WRONG_ISSUER
Definition: x509.c:82
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:158
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_subject::raw, x509_issuer::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

◆ x509_fingerprint()

void x509_fingerprint ( struct x509_certificate cert,
struct digest_algorithm digest,
void *  fingerprint 
)

Calculate X.509 certificate fingerprint.

Parameters
certX.509 certificate
digestDigest algorithm
fingerprintFingerprint buffer

Definition at line 1234 of file x509.c.

1236  {
1237  uint8_t ctx[ digest->ctxsize ];
1238 
1239  /* Calculate fingerprint */
1240  digest_init ( digest, ctx );
1241  digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
1242  digest_final ( digest, ctx, fingerprint );
1243 }
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:206
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:212
const void * data
Start of data.
Definition: asn1.h:22
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
size_t len
Length of data.
Definition: asn1.h:24
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:201
unsigned char uint8_t
Definition: stdint.h:10
size_t ctxsize
Context size.
Definition: crypto.h:22
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:230

References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

◆ x509_check_root()

int x509_check_root ( struct x509_certificate cert,
struct x509_root root 
)

Check X.509 root certificate.

Parameters
certX.509 certificate
rootX.509 root certificate list
Return values
rcReturn status code

Definition at line 1252 of file x509.c.

1252  {
1253  struct digest_algorithm *digest = root->digest;
1254  uint8_t fingerprint[ digest->digestsize ];
1255  const uint8_t *root_fingerprint = root->fingerprints;
1256  unsigned int i;
1257 
1258  /* Calculate certificate fingerprint */
1259  x509_fingerprint ( cert, digest, fingerprint );
1260 
1261  /* Check fingerprint against all root certificates */
1262  for ( i = 0 ; i < root->count ; i++ ) {
1263  if ( memcmp ( fingerprint, root_fingerprint,
1264  sizeof ( fingerprint ) ) == 0 ) {
1265  DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
1266  cert, x509_name ( cert ) );
1267  return 0;
1268  }
1269  root_fingerprint += sizeof ( fingerprint );
1270  }
1271 
1272  DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
1273  cert, x509_name ( cert ) );
1274  return -ENOENT;
1275 }
struct stp_switch root
Root switch.
Definition: stp.h:26
#define DBGC(...)
Definition: compiler.h:505
#define ENOENT
No such file or directory.
Definition: errno.h:514
unsigned char uint8_t
Definition: stdint.h:10
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1234
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
size_t digestsize
Digest size.
Definition: crypto.h:26
A message digest algorithm.
Definition: crypto.h:18
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114

References DBGC, DBGC2, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

◆ x509_check_time()

int x509_check_time ( struct x509_certificate cert,
time_t  time 
)

Check X.509 certificate validity period.

Parameters
certX.509 certificate
timeTime at which to check certificate
Return values
rcReturn status code

Definition at line 1284 of file x509.c.

1284  {
1285  struct x509_validity *validity = &cert->validity;
1286 
1287  /* Check validity period */
1288  if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
1289  DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1290  cert, x509_name ( cert ), time );
1291  return -EACCES_EXPIRED;
1292  }
1293  if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
1294  DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1295  cert, x509_name ( cert ), time );
1296  return -EACCES_EXPIRED;
1297  }
1298 
1299  DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
1300  cert, x509_name ( cert ), time );
1301  return 0;
1302 }
#define DBGC(...)
Definition: compiler.h:505
time_t time
Seconds since the Epoch.
Definition: x509.h:37
struct x509_time not_before
Not valid before.
Definition: x509.h:43
#define EACCES_EXPIRED
Definition: x509.c:94
An X.509 certificate validity period.
Definition: x509.h:41
struct x509_validity validity
Validity.
Definition: x509.h:242
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
Definition: crypto.h:69
#define DBGC2(...)
Definition: compiler.h:522
struct x509_time not_after
Not valid after.
Definition: x509.h:45

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

◆ x509_is_valid()

int x509_is_valid ( struct x509_certificate cert,
struct x509_root root 
)

Check if X.509 certificate is valid.

Parameters
certX.509 certificate
rootRoot certificate list, or NULL to use default

Definition at line 1310 of file x509.c.

1310  {
1311 
1312  /* Use default root certificate store if none specified */
1313  if ( ! root )
1315 
1316  return ( cert->root == root );
1317 }
struct stp_switch root
Root switch.
Definition: stp.h:26
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:225

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

◆ x509_set_valid()

static void x509_set_valid ( struct x509_certificate cert,
struct x509_certificate issuer,
struct x509_root root 
)
static

Set X.509 certificate as validated.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
rootRoot certificate list

Definition at line 1326 of file x509.c.

1328  {
1329  unsigned int max_path_remaining;
1330 
1331  /* Sanity checks */
1332  assert ( root != NULL );
1333  assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );
1334 
1335  /* Record validation root */
1336  x509_root_put ( cert->root );
1337  cert->root = x509_root_get ( root );
1338 
1339  /* Calculate effective path length */
1340  cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
1341  if ( issuer ) {
1342  max_path_remaining = ( issuer->path_remaining - 1 );
1343  if ( cert->path_remaining > max_path_remaining )
1344  cert->path_remaining = max_path_remaining;
1345  }
1346 }
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:227
unsigned int path_len
Path length.
Definition: x509.h:81
struct stp_switch root
Root switch.
Definition: stp.h:26
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:403
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:225
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition: x509.h:392
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:158
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References assert(), x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().

Referenced by x509_validate().

◆ x509_validate()

int x509_validate ( struct x509_certificate cert,
struct x509_certificate issuer,
time_t  time,
struct x509_root root 
)

Validate X.509 certificate.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
timeTime at which to validate certificate
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

The issuing certificate must have already been validated.

Validation results are cached: if a certificate has already been successfully validated then issuer, time, and root will be ignored.

Definition at line 1363 of file x509.c.

1365  {
1366  int rc;
1367 
1368  /* Use default root certificate store if none specified */
1369  if ( ! root )
1371 
1372  /* Return success if certificate has already been validated */
1373  if ( x509_is_valid ( cert, root ) )
1374  return 0;
1375 
1376  /* Fail if certificate is invalid at specified time */
1377  if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
1378  return rc;
1379 
1380  /* Succeed if certificate is a trusted root certificate */
1381  if ( x509_check_root ( cert, root ) == 0 ) {
1382  x509_set_valid ( cert, NULL, root );
1383  return 0;
1384  }
1385 
1386  /* Fail unless we have an issuer */
1387  if ( ! issuer ) {
1388  DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
1389  cert, x509_name ( cert ) );
1390  return -EACCES_UNTRUSTED;
1391  }
1392 
1393  /* Fail unless issuer has already been validated */
1394  if ( ! x509_is_valid ( issuer, root ) ) {
1395  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1396  DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1397  issuer, x509_name ( issuer ) );
1398  return -EACCES_OUT_OF_ORDER;
1399  }
1400 
1401  /* Fail if issuing certificate cannot validate this certificate */
1402  if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
1403  return rc;
1404 
1405  /* Fail if path length constraint is violated */
1406  if ( issuer->path_remaining == 0 ) {
1407  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1408  DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1409  issuer, x509_name ( issuer ) );
1410  return -EACCES_PATH_LEN;
1411  }
1412 
1413  /* Fail if OCSP is required */
1414  if ( ocsp_required ( cert ) ) {
1415  DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1416  cert, x509_name ( cert ) );
1417  return -EACCES_OCSP_REQUIRED;
1418  }
1419 
1420  /* Mark certificate as valid */
1421  x509_set_valid ( cert, issuer, root );
1422 
1423  DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1424  cert, x509_name ( cert ) );
1425  DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1426  return 0;
1427 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:227
struct stp_switch root
Root switch.
Definition: stp.h:26
static void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition: x509.c:1326
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
#define DBGC(...)
Definition: compiler.h:505
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
Definition: x509.c:1310
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition: ocsp.h:128
#define EACCES_OCSP_REQUIRED
Definition: x509.c:114
#define EACCES_OUT_OF_ORDER
Definition: x509.c:106
#define EACCES_PATH_LEN
Definition: x509.c:98
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
Definition: x509.c:1252
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
Definition: x509.c:1174
#define EACCES_UNTRUSTED
Definition: x509.c:102
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
Definition: x509.c:1284

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), and x509_validate_chain().

◆ x509_check_dnsname()

static int x509_check_dnsname ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative dNSName.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1437 of file x509.c.

1439  {
1440  const char *fullname = name;
1441  const char *dnsname = raw->data;
1442  size_t len = raw->len;
1443 
1444  /* Check for wildcards */
1445  if ( ( len >= 2 ) && ( dnsname[0] == '*' ) && ( dnsname[1] == '.' ) ) {
1446 
1447  /* Skip initial "*." */
1448  dnsname += 2;
1449  len -= 2;
1450 
1451  /* Skip initial portion of name to be tested */
1452  name = strchr ( name, '.' );
1453  if ( ! name )
1454  return -ENOENT;
1455  name++;
1456  }
1457 
1458  /* Compare names */
1459  if ( ! ( ( strlen ( name ) == len ) &&
1460  ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
1461  return -ENOENT;
1462 
1463  if ( name != fullname ) {
1464  DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
1465  "\"*.%s\"\n", cert, x509_name ( cert ), name );
1466  }
1467  return 0;
1468 }
const char * name
Definition: ath9k_hw.c:1984
#define ENOENT
No such file or directory.
Definition: errno.h:514
int strncasecmp(const char *first, const char *second, size_t max)
Compare case-insensitive strings.
Definition: string.c:221
char * strchr(const char *src, int character)
Find character within a string.
Definition: string.c:271
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
uint32_t len
Length.
Definition: ena.h:14

References DBGC2, ENOENT, len, name, raw, strchr(), strlen(), strncasecmp(), and x509_name().

Referenced by x509_check_alt_name(), and x509_check_name().

◆ x509_check_ipaddress()

static int x509_check_ipaddress ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative iPAddress.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1478 of file x509.c.

1480  {
1481  struct sockaddr sa;
1482  sa_family_t family;
1483  const void *address;
1484  int rc;
1485 
1486  /* Determine address family */
1487  if ( raw->len == sizeof ( struct in_addr ) ) {
1488  struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
1489  family = AF_INET;
1490  address = &sin->sin_addr;
1491  } else if ( raw->len == sizeof ( struct in6_addr ) ) {
1492  struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
1493  family = AF_INET6;
1494  address = &sin6->sin6_addr;
1495  } else {
1496  DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
1497  "length %zd\n", cert, x509_name ( cert ), raw->len );
1498  DBGC_HDA ( cert, 0, raw->data, raw->len );
1499  return -EINVAL;
1500  }
1501 
1502  /* Attempt to convert name to a socket address */
1503  if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
1504  DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
1505  "iPAddress: %s\n", cert, x509_name ( cert ), name,
1506  strerror ( rc ) );
1507  return rc;
1508  }
1509  if ( sa.sa_family != family )
1510  return -ENOENT;
1511 
1512  /* Compare addresses */
1513  if ( memcmp ( address, raw->data, raw->len ) != 0 )
1514  return -ENOENT;
1515 
1516  DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
1517  cert, x509_name ( cert ), sock_ntoa ( &sa ) );
1518  return 0;
1519 }
#define EINVAL
Invalid argument.
Definition: errno.h:428
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
const char * name
Definition: ath9k_hw.c:1984
#define AF_INET6
IPv6 Internet addresses.
Definition: socket.h:64
uint64_t address
Base address.
Definition: ena.h:24
sa_family_t sa_family
Socket address family.
Definition: socket.h:101
#define DBGC(...)
Definition: compiler.h:505
struct sockaddr_in6 sin6
Definition: syslog.c:58
#define ENOENT
No such file or directory.
Definition: errno.h:514
IPv4 socket address.
Definition: in.h:84
int sock_aton(const char *string, struct sockaddr *sa)
Parse socket address.
Definition: socket.c:59
#define DBGC_HDA(...)
Definition: compiler.h:506
uint16_t sa_family_t
A socket address family.
Definition: socket.h:85
struct sockaddr sa
Definition: syslog.c:55
IP6 address structure.
Definition: in.h:50
Generalized socket address structure.
Definition: socket.h:96
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
IP address structure.
Definition: in.h:41
struct in_addr sin_addr
IPv4 address.
Definition: in.h:100
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
const char * sock_ntoa(struct sockaddr *sa)
Transcribe socket address.
Definition: socket.c:42
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
IPv6 socket address.
Definition: in.h:117
struct sockaddr_in sin
Definition: syslog.c:57
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
#define AF_INET
IPv4 Internet addresses.
Definition: socket.h:63
struct in6_addr sin6_addr
IPv6 address.
Definition: in.h:134

References address, AF_INET, AF_INET6, DBGC, DBGC2, DBGC_HDA, EINVAL, ENOENT, memcmp(), name, raw, rc, sa, sockaddr::sa_family, sin, sin6, sockaddr_in6::sin6_addr, sockaddr_in::sin_addr, sock_aton(), sock_ntoa(), strerror(), and x509_name().

Referenced by x509_check_alt_name().

◆ x509_check_alt_name()

static int x509_check_alt_name ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1529 of file x509.c.

1531  {
1532  struct asn1_cursor alt_name;
1533  unsigned int type;
1534 
1535  /* Enter generalName */
1536  memcpy ( &alt_name, raw, sizeof ( alt_name ) );
1537  type = asn1_type ( &alt_name );
1538  asn1_enter_any ( &alt_name );
1539 
1540  /* Check this name */
1541  switch ( type ) {
1542  case X509_GENERAL_NAME_DNS :
1543  return x509_check_dnsname ( cert, &alt_name, name );
1544  case X509_GENERAL_NAME_IP :
1545  return x509_check_ipaddress ( cert, &alt_name, name );
1546  default:
1547  DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
1548  cert, x509_name ( cert ), type );
1549  DBGC2_HDA ( cert, 0, alt_name.data, alt_name.len );
1550  return -ENOTSUP;
1551  }
1552 }
const char * name
Definition: ath9k_hw.c:1984
uint32_t type
Operating system type.
Definition: ena.h:12
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:446
#define ENOTSUP
Operation not supported.
Definition: errno.h:589
void * memcpy(void *dest, const void *src, size_t len) __nonnull
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition: x509.c:1437
#define DBGC2_HDA(...)
Definition: compiler.h:523
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
Definition: asn1.c:303
static int x509_check_ipaddress(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative iPAddress.
Definition: x509.c:1478
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
__be32 raw[7]
Definition: CIB_PRM.h:28
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter_any(), asn1_type(), asn1_cursor::data, DBGC2, DBGC2_HDA, ENOTSUP, asn1_cursor::len, memcpy(), name, raw, type, x509_check_dnsname(), x509_check_ipaddress(), X509_GENERAL_NAME_DNS, X509_GENERAL_NAME_IP, and x509_name().

Referenced by x509_check_name().

◆ x509_check_name()

int x509_check_name ( struct x509_certificate cert,
const char *  name 
)

Check X.509 certificate name.

Parameters
certX.509 certificate
nameName
Return values
rcReturn status code

Definition at line 1561 of file x509.c.

1561  {
1562  struct asn1_cursor *common_name = &cert->subject.common_name;
1563  struct asn1_cursor alt_name;
1564  int rc;
1565 
1566  /* Check commonName */
1567  if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
1568  DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
1569  cert, x509_name ( cert ), name );
1570  return 0;
1571  }
1572 
1573  /* Check any subjectAlternativeNames */
1574  memcpy ( &alt_name, &cert->extensions.alt_name.names,
1575  sizeof ( alt_name ) );
1576  for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
1577  if ( ( rc = x509_check_alt_name ( cert, &alt_name,
1578  name ) ) == 0 ) {
1579  DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
1580  "\"%s\"\n", cert, x509_name ( cert ), name );
1581  return 0;
1582  }
1583  }
1584 
1585  DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
1586  cert, x509_name ( cert ), name );
1587  return -EACCES_WRONG_NAME;
1588 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
const char * name
Definition: ath9k_hw.c:1984
struct asn1_cursor names
Names.
Definition: x509.h:145
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
Definition: x509.c:1529
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:313
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define EACCES_WRONG_NAME
Definition: x509.c:118
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition: x509.c:1437
struct x509_subject subject
Subject.
Definition: x509.h:244
struct asn1_cursor common_name
Common name.
Definition: x509.h:63
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition: x509.h:166
#define DBGC2(...)
Definition: compiler.h:522
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_extensions extensions
Extensions.
Definition: x509.h:248

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

◆ x509_free_chain()

static void x509_free_chain ( struct refcnt refcnt)
static

Free X.509 certificate chain.

Parameters
refcntReference count

Definition at line 1595 of file x509.c.

1595  {
1596  struct x509_chain *chain =
1597  container_of ( refcnt, struct x509_chain, refcnt );
1598 
1599  DBGC2 ( chain, "X509 chain %p freed\n", chain );
1600 
1601  /* Free chain */
1602  x509_truncate ( chain, NULL );
1603  assert ( list_empty ( &chain->links ) );
1604  free ( chain );
1605 }
struct list_head links
List of links.
Definition: x509.h:204
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition: x509.c:1690
A reference counter.
Definition: refcnt.h:26
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
An X.509 certificate chain.
Definition: x509.h:200
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
#define DBGC2(...)
Definition: compiler.h:522
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References assert(), container_of, DBGC2, free, x509_chain::links, list_empty, NULL, and x509_truncate().

Referenced by x509_alloc_chain().

◆ x509_alloc_chain()

struct x509_chain* x509_alloc_chain ( void  )

Allocate X.509 certificate chain.

Return values
chainX.509 certificate chain, or NULL

Definition at line 1612 of file x509.c.

1612  {
1613  struct x509_chain *chain;
1614 
1615  /* Allocate chain */
1616  chain = zalloc ( sizeof ( *chain ) );
1617  if ( ! chain )
1618  return NULL;
1619 
1620  /* Initialise chain */
1621  ref_init ( &chain->refcnt, x509_free_chain );
1622  INIT_LIST_HEAD ( &chain->links );
1623 
1624  DBGC2 ( chain, "X509 chain %p allocated\n", chain );
1625  return chain;
1626 }
struct list_head links
List of links.
Definition: x509.h:204
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
Definition: x509.c:1595
An X.509 certificate chain.
Definition: x509.h:200
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
#define DBGC2(...)
Definition: compiler.h:522
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
struct refcnt refcnt
Reference count.
Definition: x509.h:202

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse_participants(), cms_parse_signed(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

◆ x509_append()

int x509_append ( struct x509_chain chain,
struct x509_certificate cert 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certX.509 certificate
Return values
rcReturn status code

Definition at line 1635 of file x509.c.

1635  {
1636  struct x509_link *link;
1637 
1638  /* Allocate link */
1639  link = zalloc ( sizeof ( *link ) );
1640  if ( ! link )
1641  return -ENOMEM;
1642 
1643  /* Add link to chain */
1644  link->cert = x509_get ( cert );
1645  list_add_tail ( &link->list, &chain->links );
1646  DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
1647  chain, cert, x509_name ( cert ) );
1648 
1649  return 0;
1650 }
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:266
struct list_head links
List of links.
Definition: x509.h:204
#define DBGC(...)
Definition: compiler.h:505
#define ENOMEM
Not enough space.
Definition: errno.h:534
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, x509_get(), x509_name(), and zalloc().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

◆ x509_append_raw()

int x509_append_raw ( struct x509_chain chain,
const void *  data,
size_t  len 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
dataRaw certificate data
lenLength of raw data
Return values
rcReturn status code

Definition at line 1660 of file x509.c.

1661  {
1662  struct x509_certificate *cert;
1663  int rc;
1664 
1665  /* Parse certificate */
1666  if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
1667  goto err_parse;
1668 
1669  /* Append certificate to chain */
1670  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1671  goto err_append;
1672 
1673  /* Drop reference to certificate */
1674  x509_put ( cert );
1675 
1676  return 0;
1677 
1678  err_append:
1679  x509_put ( cert );
1680  err_parse:
1681  return rc;
1682 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1635
An X.509 certificate.
Definition: x509.h:215
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:277
uint8_t data[48]
Additional event data.
Definition: ena.h:22
uint32_t len
Length.
Definition: ena.h:14

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), tls_parse_chain(), and validator_append().

◆ x509_truncate()

void x509_truncate ( struct x509_chain chain,
struct x509_link link 
)

Truncate X.509 certificate chain.

Parameters
chainX.509 certificate chain
linkLink after which to truncate chain, or NULL

Definition at line 1690 of file x509.c.

1690  {
1691  struct x509_link *tmp;
1692 
1693  /* Truncate entire chain if no link is specified */
1694  if ( ! link )
1695  link = list_entry ( &chain->links, struct x509_link, list );
1696 
1697  /* Free each link in the chain */
1699  x509_put ( link->cert );
1700  list_del ( &link->list );
1701  free ( link );
1702  }
1703 }
struct list_head links
List of links.
Definition: x509.h:204
unsigned long tmp
Definition: linux_pci.h:63
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
#define list_for_each_entry_safe_continue(pos, tmp, head, member)
Iterate over subsequent entries in a list, safe against deletion.
Definition: list.h:500
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:277
#define list_entry(list, type, member)
Get the container of a list entry.
Definition: list.h:321

References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().

Referenced by validator_append(), x509_free_chain(), and x509_test_exec().

◆ x509_found()

static struct x509_certificate* x509_found ( struct x509_chain store,
struct x509_certificate cert 
)
static

Mark X.509 certificate as found.

Parameters
storeCertificate store
certX.509 certificate
Return values
certX.509 certificate

Definition at line 1712 of file x509.c.

1713  {
1714 
1715  /* Sanity check */
1716  assert ( store != NULL );
1717 
1718  /* Mark as found, if applicable */
1719  if ( store->found )
1720  store->found ( store, cert );
1721 
1722  return cert;
1723 }
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
void(* found)(struct x509_chain *store, struct x509_certificate *cert)
Mark certificate as found.
Definition: x509.h:210
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References assert(), NULL, and x509_certificate::store.

Referenced by x509_find(), x509_find_issuer_serial(), x509_find_key(), and x509_find_subject().

◆ x509_find()

struct x509_certificate* x509_find ( struct x509_chain store,
const struct asn1_cursor raw 
)

Identify X.509 certificate by raw certificate data.

Parameters
storeCertificate store, or NULL to use default
rawRaw certificate data
Return values
certX.509 certificate, or NULL if not found

Definition at line 1732 of file x509.c.

1733  {
1734  struct x509_link *link;
1735  struct x509_certificate *cert;
1736 
1737  /* Use default certificate store if none specified */
1738  if ( ! store )
1739  store = &certstore;
1740 
1741  /* Search for certificate within store */
1742  list_for_each_entry ( link, &store->links, list ) {
1743 
1744  /* Check raw certificate data */
1745  cert = link->cert;
1746  if ( asn1_compare ( raw, &cert->raw ) == 0 )
1747  return x509_found ( store, cert );
1748  }
1749 
1750  return NULL;
1751 }
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
An X.509 certificate.
Definition: x509.h:215
struct x509_link store
Link in certificate store.
Definition: x509.h:220
__be32 raw[7]
Definition: CIB_PRM.h:28
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition: x509.c:1712
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:230
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), certstore, link, list_for_each_entry, NULL, raw, x509_certificate::raw, x509_certificate::store, and x509_found().

Referenced by certstore_init(), and x509_certificate().

◆ x509_find_subject()

struct x509_certificate* x509_find_subject ( struct x509_chain store,
const struct asn1_cursor subject 
)

Identify X.509 certificate by subject.

Parameters
storeCertificate store, or NULL to use default
subjectSubject
Return values
certX.509 certificate, or NULL if not found

Definition at line 1761 of file x509.c.

1762  {
1763  struct x509_link *link;
1764  struct x509_certificate *cert;
1765 
1766  /* Use default certificate store if none specified */
1767  if ( ! store )
1768  store = &certstore;
1769 
1770  /* Scan through certificate list */
1771  list_for_each_entry ( link, &store->links, list ) {
1772 
1773  /* Check subject */
1774  cert = link->cert;
1775  if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
1776  return x509_found ( store, cert );
1777  }
1778 
1779  return NULL;
1780 }
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
An X.509 certificate.
Definition: x509.h:215
struct x509_subject subject
Subject.
Definition: x509.h:244
struct asn1_cursor raw
Raw subject.
Definition: x509.h:61
struct x509_link store
Link in certificate store.
Definition: x509.h:220
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition: x509.c:1712
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), certstore, link, list_for_each_entry, NULL, x509_subject::raw, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by x509_auto_append().

◆ x509_find_issuer_serial()

struct x509_certificate* x509_find_issuer_serial ( struct x509_chain store,
const struct asn1_cursor issuer,
const struct asn1_cursor serial 
)

Identify X.509 certificate by issuer and serial number.

Parameters
storeCertificate store, or NULL to use default
issuerIssuer
serialSerial number
Return values
certX.509 certificate, or NULL if not found

Definition at line 1791 of file x509.c.

1793  {
1794  struct x509_link *link;
1795  struct x509_certificate *cert;
1796 
1797  /* Use default certificate store if none specified */
1798  if ( ! store )
1799  store = &certstore;
1800 
1801  /* Scan through certificate list */
1802  list_for_each_entry ( link, &store->links, list ) {
1803 
1804  /* Check issuer and serial number */
1805  cert = link->cert;
1806  if ( ( asn1_compare ( issuer, &cert->issuer.raw ) == 0 ) &&
1807  ( asn1_compare ( serial, &cert->serial.raw ) == 0 ) )
1808  return x509_found ( store, cert );
1809  }
1810 
1811  return NULL;
1812 }
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:31
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:480
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
struct x509_issuer issuer
Issuer.
Definition: x509.h:240
struct asn1_cursor raw
Raw serial number.
Definition: x509.h:25
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
An X.509 certificate.
Definition: x509.h:215
struct x509_serial serial
Serial number.
Definition: x509.h:234
uint64_t serial
Serial number.
Definition: edd.h:30
struct x509_link store
Link in certificate store.
Definition: x509.h:220
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition: x509.c:1712
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), certstore, x509_certificate::issuer, link, list_for_each_entry, NULL, x509_issuer::raw, x509_serial::raw, serial, x509_certificate::serial, x509_certificate::store, and x509_found().

Referenced by cms_parse_identifier().

◆ x509_find_key()

struct x509_certificate* x509_find_key ( struct x509_chain store,
struct private_key key 
)

Identify X.509 certificate by corresponding public key.

Parameters
storeCertificate store, or NULL to use default
keyPrivate key
Return values
certX.509 certificate, or NULL if not found

Definition at line 1821 of file x509.c.

1822  {
1823  struct x509_link *link;
1824  struct x509_certificate *cert;
1825 
1826  /* Use default certificate store if none specified */
1827  if ( ! store )
1828  store = &certstore;
1829 
1830  /* Scan through certificate list */
1831  list_for_each_entry ( link, &store->links, list ) {
1832 
1833  /* Check public key */
1834  cert = link->cert;
1835  if ( pubkey_match ( cert->signature_algorithm->pubkey,
1836  privkey_cursor ( key ),
1837  &cert->subject.public_key.raw ) == 0 )
1838  return x509_found ( store, cert );
1839  }
1840 
1841  return NULL;
1842 }
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:51
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:238
static int pubkey_match(struct pubkey_algorithm *pubkey, const struct asn1_cursor *private_key, const struct asn1_cursor *public_key)
Definition: crypto.h:301
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition: privkey.h:52
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:372
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
struct x509_public_key public_key
Public key information.
Definition: x509.h:65
An X.509 certificate.
Definition: x509.h:215
struct x509_subject subject
Subject.
Definition: x509.h:244
struct x509_link store
Link in certificate store.
Definition: x509.h:220
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition: x509.c:1712
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
union @383 key
Sense key.
Definition: scsi.h:18

References certstore, key, link, list_for_each_entry, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by cms_keypair_okx(), cms_recipient(), and tls_new_certificate_request().

◆ x509_auto_append()

int x509_auto_append ( struct x509_chain chain,
struct x509_chain store 
)

Append X.509 certificates to X.509 certificate chain.

Parameters
chainX.509 certificate chain
storeCertificate store, or NULL to use default
Return values
rcReturn status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1854 of file x509.c.

1854  {
1855  struct x509_certificate *cert;
1856  struct x509_certificate *previous;
1857  int rc;
1858 
1859  /* Get current certificate */
1860  cert = x509_last ( chain );
1861  if ( ! cert ) {
1862  DBGC ( chain, "X509 chain %p has no certificates\n", chain );
1863  return -EACCES_EMPTY;
1864  }
1865 
1866  /* Append certificates, in order */
1867  while ( 1 ) {
1868 
1869  /* Find issuing certificate */
1870  previous = cert;
1871  cert = x509_find_subject ( store, &cert->issuer.raw );
1872  if ( ! cert )
1873  break;
1874  if ( cert == previous )
1875  break;
1876 
1877  /* Append certificate to chain */
1878  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1879  return rc;
1880  }
1881 
1882  return 0;
1883 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:31
#define EACCES_EMPTY
Definition: x509.c:110
struct x509_issuer issuer
Issuer.
Definition: x509.h:240
#define DBGC(...)
Definition: compiler.h:505
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1635
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:324
An X.509 certificate.
Definition: x509.h:215
struct x509_certificate * x509_find_subject(struct x509_chain *store, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
Definition: x509.c:1761
struct x509_link store
Link in certificate store.
Definition: x509.h:220

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_certificate::store, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

◆ x509_validate_chain()

int x509_validate_chain ( struct x509_chain chain,
time_t  time,
struct x509_chain store,
struct x509_root root 
)

Validate X.509 certificate chain.

Parameters
chainX.509 certificate chain
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 1894 of file x509.c.

1895  {
1896  struct x509_certificate *issuer = NULL;
1897  struct x509_link *link;
1898  int rc;
1899 
1900  /* Append any applicable certificates from the certificate store */
1901  if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
1902  return rc;
1903 
1904  /* Find first certificate that can be validated as a
1905  * standalone (i.e. is already valid, or can be validated as
1906  * a trusted root certificate).
1907  */
1908  list_for_each_entry ( link, &chain->links, list ) {
1909 
1910  /* Try validating this certificate as a standalone */
1911  if ( ( rc = x509_validate ( link->cert, NULL, time,
1912  root ) ) != 0 )
1913  continue;
1914 
1915  /* Work back up to start of chain, performing pairwise
1916  * validation.
1917  */
1918  issuer = link->cert;
1920  list ) {
1921 
1922  /* Validate this certificate against its issuer */
1923  if ( ( rc = x509_validate ( link->cert, issuer, time,
1924  root ) ) != 0 )
1925  return rc;
1926  issuer = link->cert;
1927  }
1928 
1929  return 0;
1930  }
1931 
1932  DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
1933  return -EACCES_USELESS;
1934 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct stp_switch root
Root switch.
Definition: stp.h:26
struct list_head links
List of links.
Definition: x509.h:204
struct x509_issuer issuer
Issuer.
Definition: x509.h:240
#define DBGC(...)
Definition: compiler.h:505
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition: x509.c:1363
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1854
An X.509 certificate.
Definition: x509.h:215
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
Definition: list.h:486
#define EACCES_USELESS
Definition: x509.c:122
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

◆ image_x509()

int image_x509 ( struct image image,
size_t  offset,
struct x509_certificate **  cert 
)

Extract X.509 certificate object from image.

Parameters
imageImage
offsetOffset within image
Return values
certX.509 certificate
nextOffset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1947 of file x509.c.

1948  {
1949  struct asn1_cursor *cursor;
1950  int next;
1951  int rc;
1952 
1953  /* Get ASN.1 object */
1954  next = image_asn1 ( image, offset, &cursor );
1955  if ( next < 0 ) {
1956  rc = next;
1957  goto err_asn1;
1958  }
1959 
1960  /* Parse certificate */
1961  if ( ( rc = x509_certificate ( cursor->data, cursor->len,
1962  cert ) ) != 0 )
1963  goto err_certificate;
1964 
1965  /* Free ASN.1 object */
1966  free ( cursor );
1967 
1968  return next;
1969 
1970  x509_put ( *cert );
1971  err_certificate:
1972  free ( cursor );
1973  err_asn1:
1974  return rc;
1975 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
uint32_t next
Next descriptor address.
Definition: myson.h:18
const void * data
Start of data.
Definition: asn1.h:22
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition: asn1.c:1002
An executable image.
Definition: image.h:24
size_t len
Length of data.
Definition: asn1.h:24
An X.509 certificate.
Definition: x509.h:215
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:277
uint16_t offset
Offset to command line.
Definition: bzimage.h:8
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

◆ REQUIRING_SYMBOL()

REQUIRING_SYMBOL ( x509_validate  )

◆ REQUIRE_OBJECT() [1/2]

REQUIRE_OBJECT ( certstore  )

◆ REQUIRE_OBJECT() [2/2]

REQUIRE_OBJECT ( config_crypto  )

Variable Documentation

◆ oid_common_name

uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME }
static

"commonName" object identifier

Definition at line 170 of file x509.c.

◆ oid_common_name_cursor

struct asn1_cursor oid_common_name_cursor
static
Initial value:
=
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:360
static uint8_t oid_common_name[]
"commonName" object identifier
Definition: x509.c:170

"commonName" object identifier cursor

Definition at line 173 of file x509.c.

Referenced by x509_parse_common_name().

◆ oid_code_signing

uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING }
static

"id-kp-codeSigning" object identifier

Definition at line 531 of file x509.c.

◆ oid_ocsp_signing

uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING }
static

"id-kp-OCSPSigning" object identifier

Definition at line 534 of file x509.c.

◆ x509_key_purposes

struct x509_key_purpose x509_key_purposes[]
static
Initial value:
= {
{
.name = "codeSigning",
},
{
.name = "ocspSigning",
},
}
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:360
static uint8_t oid_code_signing[]
"id-kp-codeSigning" object identifier
Definition: x509.c:531
static uint8_t oid_ocsp_signing[]
"id-kp-OCSPSigning" object identifier
Definition: x509.c:534

Supported key purposes.

Definition at line 537 of file x509.c.

Referenced by x509_parse_key_purpose().

◆ oid_ad_ocsp

uint8_t oid_ad_ocsp[] = { ASN1_OID_OCSP }
static

"id-ad-ocsp" object identifier

Definition at line 643 of file x509.c.

◆ x509_access_methods

struct x509_access_method x509_access_methods[]
static
Initial value:
= {
{
.name = "OCSP",
.parse = x509_parse_ocsp,
},
}
static int x509_parse_ocsp(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate OCSP access method.
Definition: x509.c:622
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:360
static uint8_t oid_ad_ocsp[]
"id-ad-ocsp" object identifier
Definition: x509.c:643

Supported access methods.

Definition at line 646 of file x509.c.

Referenced by x509_find_access_method().

◆ oid_ce_basic_constraints

uint8_t oid_ce_basic_constraints[]
static
Initial value:
=
#define ASN1_OID_BASICCONSTRAINTS
ASN.1 OID for id-ce-basicConstraints (2.5.29.19)
Definition: asn1.h:290

"id-ce-basicConstraints" object identifier

Definition at line 763 of file x509.c.

◆ oid_ce_key_usage

uint8_t oid_ce_key_usage[]
static
Initial value:
=
#define ASN1_OID_KEYUSAGE
ASN.1 OID for id-ce-keyUsage (2.5.29.15)
Definition: asn1.h:285

"id-ce-keyUsage" object identifier

Definition at line 767 of file x509.c.

◆ oid_ce_ext_key_usage

uint8_t oid_ce_ext_key_usage[]
static
Initial value:
=
#define ASN1_OID_EXTKEYUSAGE
ASN.1 OID for id-ce-extKeyUsage (2.5.29.37)
Definition: asn1.h:295

"id-ce-extKeyUsage" object identifier

Definition at line 771 of file x509.c.

◆ oid_pe_authority_info_access

uint8_t oid_pe_authority_info_access[]
static
Initial value:
=
#define ASN1_OID_AUTHORITYINFOACCESS
ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1)
Definition: asn1.h:326

"id-pe-authorityInfoAccess" object identifier

Definition at line 775 of file x509.c.

◆ oid_ce_subject_alt_name

uint8_t oid_ce_subject_alt_name[]
static
Initial value:
=
#define ASN1_OID_SUBJECTALTNAME
ASN.1 OID for id-ce-subjectAltName (2.5.29.17)
Definition: asn1.h:355

"id-ce-subjectAltName" object identifier

Definition at line 779 of file x509.c.

◆ x509_extensions

Initial value:
= {
{
.name = "basicConstraints",
},
{
.name = "keyUsage",
},
{
.name = "extKeyUsage",
},
{
.name = "authorityInfoAccess",
},
{
.name = "subjectAltName",
},
}
static int x509_parse_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key usage.
Definition: x509.c:498
static uint8_t oid_ce_basic_constraints[]
"id-ce-basicConstraints" object identifier
Definition: x509.c:763
static int x509_parse_basic_constraints(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate basic constraints.
Definition: x509.c:436
static int x509_parse_extended_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extended key usage.
Definition: x509.c:596
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:360
static uint8_t oid_ce_subject_alt_name[]
"id-ce-subjectAltName" object identifier
Definition: x509.c:779
static uint8_t oid_pe_authority_info_access[]
"id-pe-authorityInfoAccess" object identifier
Definition: x509.c:775
static int x509_parse_subject_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject alternative name.
Definition: x509.c:742
static int x509_parse_authority_info_access(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate authority information access.
Definition: x509.c:715
static uint8_t oid_ce_key_usage[]
"id-ce-keyUsage" object identifier
Definition: x509.c:767
static uint8_t oid_ce_ext_key_usage[]
"id-ce-extKeyUsage" object identifier
Definition: x509.c:771

Supported certificate extensions.

Definition at line 783 of file x509.c.

Referenced by x509_find_extension().